What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is the European Union’s data protection and privacy law, designed to safeguard the personal data of individuals within the bloc. It empowers EU residents with the right to access, correct, and erase the personal information that organisations collect and hold about them.
GDPR sets strict requirements for data collection, processing, storage, and consent, making it one of the most far-reaching data privacy regulations globally. It applies to all organisations processing or handling the personal data of EU residents, regardless of the business’s location.
Adopted in April 2016 and applicable since May 25, 2018, the GDPR replaced the 1995 Data Protection Directive, modernising data privacy rules for the digital age. Because it is a regulation rather than a directive, it applies directly in every member state, which also removed many of the discrepancies between the national data protection laws that had implemented the directive.
The GDPR is widely described as the most demanding privacy and security law in the world. It has had a global impact, becoming a reference point for how companies worldwide approach data privacy and compliance, and it has influenced similar regulations elsewhere, such as the California Consumer Privacy Act (CCPA) in the US.
How does the GDPR define ‘personal data’?
Within the framework of the GDPR, personal data is defined as any information that can help directly or indirectly identify an individual (also called a “data subject”).
Data used for direct identification includes names, ID numbers, and email addresses. Information used for indirect identification of a person includes location, IP addresses, online identifiers, and certain characteristics (e.g., physical, economic, or social traits).
The regulation also defines special categories of personal data (Article 9), which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data used for identification, health data, and data concerning a person's sex life or sexual orientation. Processing such data is prohibited by default; organisations must obtain the data subject's explicit consent or meet one of the other specific conditions listed in Article 9(2).
By adopting a broad and flexible definition of personal data, the GDPR ensures protection in various contexts, especially in today’s digital environment, where individuals can be identified through combinations of seemingly non-sensitive data.
Core data protection principles of GDPR
The foundational idea of GDPR is that organisations must be able to show what personal data they collect, why, and on what basis, rather than hiding behind vague language when collecting, storing, and handling it.
To do that, the regulation introduces seven core data protection principles:
Lawfulness, fairness, and transparency: Personal data must be processed legally, fairly, and transparently.
Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not used in ways incompatible with those purposes.
Data minimisation: Only data that is adequate, relevant, and limited to what is necessary should be collected and processed.
Accuracy: Personal data must be accurate and, where necessary, kept up to date; inaccurate data should be corrected or erased promptly.
Storage limitation: Data must be kept no longer than necessary for the purposes for which it was collected.
Integrity and confidentiality: Data must be processed securely and backed by appropriate technical and organisational measures to prevent unauthorised access or loss.
Accountability: Organisations must demonstrate compliance with all the abovementioned principles.
The lawful basis for collecting data
Under GDPR, organisations must have a lawful basis before they collect, use, or store personal data. Every processing activity must rest on one of the six legal grounds set out in Article 6 of the regulation: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
“Consent” in this context means that the organisation is granted unambiguous permission to process the data (e.g., the user agreeing to an email subscription). Executing or entering into a contract, complying with a legal obligation, or performing a task in the public interest are also considered lawful bases for data processing.
Organisations may also process data where necessary to protect someone's vital interests (e.g., a medical facility treating an unconscious patient). The legitimate interests basis is the most flexible and gives organisations some freedom in collecting and processing data, but it requires a balancing test: processing is lawful only where the organisation's (or a third party's) legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject, and the organisation must document that assessment. Public authorities cannot rely on this basis when performing their official tasks.
Data collection and processing on grounds other than those listed above is considered unlawful and can result in fines, sanctions, and reputational damage.
Key privacy rights for data subjects under GDPR
To give individuals (data subjects) greater control over how their personal data is used, stored, and shared, the GDPR grants them a set of rights in Articles 15 to 22, in addition to the right to be informed about the processing (Articles 13 and 14). Based on them, individuals can request the following:
A copy of their data and information about its use (Right to access)
Corrections to inaccurate or incomplete personal data (Right to rectification)
The deletion of their personal data when it is no longer needed or has been processed unlawfully (Right to erasure/Right to be forgotten)
That the processing of their data be limited under certain conditions (Right to restrict processing)
To receive their data in a structured, commonly used, machine-readable format and transmit it to another controller (Right to data portability)
To object to data processing based on legitimate interests, public tasks, or direct marketing (Right to object)
To not be subject to decisions based solely on automated processing that significantly affects them, including profiling (Rights related to automated decision-making and profiling)
Thanks to these rights, data subjects are better protected from misleading information, are told what data is collected about them and why, and must be asked for consent where consent is the basis for processing.
For organisations, understanding the key privacy rights entailed in the GDPR is essential to ensure compliance.
Compliance requirements for businesses under GDPR
GDPR sets out clear compliance obligations for businesses that process the personal data of individuals in the EU.
One core requirement is “privacy by design and by default,” which means organisations must embed privacy and data protection principles into all systems, processes, and products from the outset.
To demonstrate accountability and transparency to regulators and data subjects, businesses must also maintain detailed Records of Processing Activities (RoPA) under Article 30. The record documents what personal data is collected, why it is processed, who it is shared with, whether it is transferred outside the EU, and how long it is retained. Organisations with fewer than 250 employees are exempt unless their processing is more than occasional, is likely to result in a risk to individuals, or involves special categories of data.
Organisations also have the obligation to implement appropriate security measures in line with the risk involved in their data processing procedures. In cases where data processing might result in high risks to individuals’ rights and freedoms (e.g., processing sensitive data), organisations must conduct Data Protection Impact Assessments (DPIAs). These are procedures that identify risks which might arise during data processing activities and mitigate them as early as possible.
In the event of a personal data breach, the business must report it to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Affected individuals must be informed without undue delay if the breach is likely to result in a high risk to their rights. Processors must notify the controller without undue delay after becoming aware of a breach.
Certain organisations must appoint a Data Protection Officer (DPO) under Article 37: public bodies, organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale (e.g., Google), and organisations whose core activities involve large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10). The DPO oversees GDPR compliance, advises on DPIAs, and serves as a point of contact with regulators. Organisations can also choose to appoint a DPO voluntarily, in which case the same statutory requirements for the role apply.
For non-EU companies that offer goods or services to individuals in the EU or monitor their behaviour, Article 27 requires appointing a representative within the bloc, unless the processing is occasional, does not involve large-scale processing of special categories of data, and is unlikely to result in a risk to individuals. The representative acts as a contact for supervisory authorities and data subjects on all GDPR-related matters, ensuring that businesses outside the EU remain accountable under the regulation.
Enforcement and penalties for not complying with GDPR
GDPR is enforced by independent supervisory authorities in each EU member state, such as the Commission Nationale de l'Informatique et des Libertés (CNIL) in France and, in Germany, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) together with the data protection authorities of the individual federal states, which supervise most private-sector companies.
The heads of the national data protection authorities of the EU member states, alongside the European Data Protection Supervisor (EDPS), form the European Data Protection Board (EDPB); the EEA EFTA states also take part. The EDPB is an independent European body with a legal personality that ensures consistent application of the GDPR and promotes cooperation across the EU's data protection authorities.
Supervisory authorities can issue warnings and reprimands, order organisations to bring processing into compliance or to stop it altogether, suspend data transfers, and impose administrative fines.
GDPR considers some violations more severe than others, so Article 83 sets out a two-tiered penalty structure for non-compliance. For the lower tier (for example, failing to keep records of processing, to notify breaches, or to conduct a DPIA), fines can reach up to €10 million or 2% of worldwide annual turnover for the preceding financial year, whichever is higher. For the upper tier, which covers violations of the data processing principles, the lawful bases, data subject rights, and international transfer rules, fines can reach up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.
Since the GDPR came into effect in May 2018, there have been several high-profile enforcement actions, including a €1.2 billion fine imposed on Meta in 2023 by Ireland's Data Protection Commission over transfers of personal data to the US, and a €746 million fine imposed on Amazon in 2021 by Luxembourg's data protection authority, the CNPD.
While early enforcement centred on major tech firms, today, supervisory authorities are broadening their focus to include small and mid-sized enterprises, particularly in the healthcare, retail, and e-commerce sectors. As a result, GDPR compliance has become an essential requirement for businesses of all sizes.
How to make your business GDPR-compliant
One way to support GDPR compliance is to adhere to an industry-level code of conduct approved by the competent supervisory authority under Article 40. These codes are usually prepared by a business association and may be given EU-wide validity through an implementing act of the European Commission.
Another way is to obtain certification under an approved certification mechanism (Article 42) from a certification body accredited under Article 43, either by the supervisory authority or by the national accreditation body. Note that neither a code of conduct nor a certification reduces the organisation's own responsibility for complying with the regulation; they are ways of demonstrating compliance, not substitutes for it.
Organisations can also choose to design their own GDPR compliance frameworks by adhering to the following best practices:
Initial assessments
GDPR compliance starts with determining the lawful basis for processing personal data (e.g., consent, contract, legal obligation) and the information the organisation can collect, process, and store based on its activity and customer interaction specifics.
This is usually done through detailed audits that map data flows, identifying what information is collected and how, where it’s stored, who has access, and with whom it’s shared. It is critical for the business only to collect data that is necessary, relevant and used for a specific purpose.
Setting the organisational structure
Depending on its activities, the organisation may be required to appoint a DPO or to conduct DPIAs for high-risk processing. Procedures should also be in place to detect breaches and notify the supervisory authority within 72 hours of becoming aware of one. Businesses operating outside the EU but serving individuals in the EU must also appoint an EU-based representative unless one of the Article 27 exemptions applies.
Implementing technical measures and vetting third parties
Technical and organisational measures need to be in place to avoid non-compliance. Article 32 names pseudonymisation and encryption of personal data explicitly, alongside the ability to restore availability after an incident and a process for regularly testing the effectiveness of the measures. In practice this includes applying data protection by design and by default (collecting only the fields a purpose needs, and enforcing retention periods automatically), encrypting sensitive information at rest and in transit, limiting access to data on a need-to-know basis, and ensuring regular staff training on data protection practices.
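The following is an added example, not code from the article or from Fourthline, showing what "data protection by default" can look like in code for a hypothetical newsletter and support service: a per-purpose field allowlist (data minimisation), a per-purpose retention period with an expiry check (storage limitation), keyed pseudonymisation of direct identifiers for analytics copies, and an erasure routine for the right to be forgotten. The purposes, field names, retention periods, and sample records are all constructed for the example, and the pseudonymisation key is a fixed constant only so the script runs offline; in a real deployment it belongs in a separate secret store.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed policy for a hypothetical service (not from the article): which fields
# each processing purpose may keep, and how long that purpose justifies keeping them.
ALLOWED_FIELDS = {
    "newsletter": {"email", "consent_given_at"},
    "support_ticket": {"email", "name", "ticket_text"},
}
RETENTION = {
    "newsletter": timedelta(days=2 * 365),
    "support_ticket": timedelta(days=365),
}
# Direct identifiers that must never appear in the clear in an analytics copy.
DIRECT_IDENTIFIERS = {"email", "name"}

# Assumption: in production this key lives in a separate secret store (KMS or vault),
# never next to the pseudonymised data. It is a constant here only so the example runs.
PSEUDONYM_KEY = b"example-key-kept-in-a-separate-vault"

# Fixed "current time" so the sample data and the expiry check are reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs; an unknown purpose is refused
    rather than silently stored, so nothing is collected without a documented purpose."""
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"no documented purpose configured for {purpose!r}")
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS[purpose]}


def pseudonymise(value: str) -> str:
    """Keyed pseudonym (HMAC-SHA-256) of a normalised identifier.
    A plain SHA-256 of an email address is not a pseudonym: anyone can hash guessed
    addresses and re-identify it. With a secret key only the key holder can link the
    token back to the person, which is what lets the analytics copy be shared more widely."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


def analytics_view(data: dict) -> dict:
    """Copy of a record's data with direct identifiers replaced by keyed pseudonyms."""
    return {k: (pseudonymise(v) if k in DIRECT_IDENTIFIERS else v) for k, v in data.items()}


def expired_ids(store: dict, now: datetime) -> list:
    """IDs of records kept longer than their purpose's retention period (storage limitation)."""
    return sorted(rid for rid, rec in store.items()
                  if now - rec["collected_at"] > RETENTION[rec["purpose"]])


def erase_subject(store: dict, email: str) -> int:
    """Right to erasure: delete every record belonging to the subject. Matching is done on
    the pseudonym so the same lookup works where only the pseudonymised copy is indexed.
    Returns the number of records removed."""
    token = pseudonymise(email)
    doomed = [rid for rid, rec in store.items()
              if pseudonymise(rec["data"]["email"]) == token]
    for rid in doomed:
        del store[rid]
    return len(doomed)


def build_sample_store(now: datetime = SAMPLE_NOW) -> dict:
    """Constructed sample data: what a signup form and a support form might submit,
    stored after minimisation. r1 is an 800-day-old newsletter record (past 730 days)."""
    signup = {"email": "Ana@Example.org", "name": "Ana", "phone": "+1 555 0100",
              "consent_given_at": "2021-10-24"}
    ticket = {"email": "ana@example.org", "name": "Ana", "ticket_text": "Login fails",
              "browser_fingerprint": "f00ba4"}
    return {
        "r1": {"purpose": "newsletter", "collected_at": now - timedelta(days=800),
               "data": minimise(signup, "newsletter")},
        "r2": {"purpose": "support_ticket", "collected_at": now - timedelta(days=100),
               "data": minimise(ticket, "support_ticket")},
        "r3": {"purpose": "newsletter", "collected_at": now - timedelta(days=10),
               "data": minimise({"email": "bob@example.net", "consent_given_at": "2023-12-22"},
                                "newsletter")},
    }


if __name__ == "__main__":
    store = build_sample_store()
    print("stored fields per record:", {rid: sorted(r["data"]) for rid, r in store.items()})
    print("past retention:", expired_ids(store, SAMPLE_NOW))
    print("analytics copy of r2:", analytics_view(store["r2"]["data"]))
    print("records erased for ana@example.org:", erase_subject(store, "ana@example.org"))
```

Two points the code makes that the principles alone do not: the `phone` and `browser_fingerprint` fields never reach storage because no purpose lists them, and the pseudonym is keyed rather than a bare hash, so an analytics copy that leaks does not let the finder re-identify addresses by hashing guesses. Erasure in a real system must also reach backups, log archives, and any processors that received the data; this in-memory version only shows the lookup.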
Furthermore, it is essential to be cautious when granting third parties (such as vendors) access to customers' data. A controller remains responsible for processing carried out on its behalf: Article 28 requires it to use only processors that provide sufficient guarantees of compliance and to bind them with a written contract covering the subject matter, duration, purpose, security measures, sub-processors, and the return or deletion of the data. If a processor misuses the data, this does not necessarily absolve the controller of responsibility, so it is important to carefully screen and vet third-party vendors and to verify that they have a good track record for data security.
Companies partnering with Fourthline on everything from identity verification to remediation can rest assured that their customers' data is safeguarded in compliance with stringent data protection regulations, privacy laws, and security standards such as GDPR, ISO/IEC 27001:2013, and ISAE 3000 Type 2.
Ongoing monitoring and data policy updates
Compliance isn't a one-time task — it’s an ongoing commitment to protecting personal data and respecting individual rights. That makes continuous monitoring, record-keeping, and documentation key to maintaining compliance and demonstrating accountability. As a result, businesses should regularly review their data protection practices, update internal policies, and stay informed of changes in GDPR enforcement.
GDPR FAQs
Does GDPR apply to businesses not based in the European Union?
GDPR applies to businesses outside the EU if they offer goods or services to individuals in the bloc (whether or not payment is required) or monitor the behaviour of individuals in the EU, for example through online tracking (Article 3(2)). This extraterritorial scope ensures that non-EU organisations handling Europeans' personal data are subject to the same data protection obligations as EU-based companies.
What's the difference between a data controller and a data processor?
According to the GDPR, the data controller defines the purpose (why) and means (how) of processing personal data, while a data processor handles data on the controller’s behalf.
In B2B relationships, businesses often act as controllers and delegate processing to one or more third parties that serve as processors. The overall responsibility for data protection lies with the data controller, but processors have direct obligations of their own under the GDPR: they may process data only on the controller's documented instructions, must implement appropriate security measures, must notify the controller of breaches, and must not engage sub-processors without the controller's authorisation. Two organisations that jointly decide the purposes and means of processing are joint controllers and must agree on how they share their responsibilities.
How does GDPR compliance relate to other privacy regulations (CCPA, CPRA, etc.)?
GDPR is the most influential and among the most stringent data protection laws worldwide. It inspired the design of the CCPA and the California Privacy Rights Act of 2020 (CPRA), which amended and extended the CCPA. While each privacy regulation has its own specific requirements (for example, the CCPA is built around opt-out rights rather than the GDPR's lawful bases), they share core principles regarding transparency, user rights, and accountability. Because of its rigorous standards, a GDPR compliance programme usually provides a strong foundation for meeting other privacy regulations, although each still needs its own gap analysis.